Re: 8.4 release planning

Ron Mayer <rm_pg@cheapcomplexdevices.com>

From: Ron Mayer <rm_pg@cheapcomplexdevices.com>
To: Simon Riggs <simon@2ndQuadrant.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Stephen Frost <sfrost@snowman.net>, Josh Berkus <josh@agliodbs.com>, "Joshua D. Drake" <jd@commandprompt.com>, Robert Haas <robertmhaas@gmail.com>, Merlin Moncure <mmoncure@gmail.com>, "Jonah H. Harris" <jonah.harris@gmail.com>, Gregory Stark <stark@enterprisedb.com>, Bruce Momjian <bruce@momjian.us>, Bernd Helmle <mailings@oopsware.de>, Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers@postgresql.org
Date: 2009-01-27T14:20:41Z
Lists: pgsql-hackers
Simon Riggs wrote:
> The process works like this: software gets developed, then it gets
> certified. If its not certified, then Undercover Elephant will not be
> used by the secret people. We can't answer the "will it be certified?"
> question objectively yet. If we have someone willing to write the
> software and put it forward for certification then we should trust that
> it probably will pass certification and if it doesn't we will see
> further patches to allow that to happen.

For what it's worth, we can see that there are indeed
Postgres forks on the Common Criteria certified list.

 http://www.commoncriteriaportal.org/products_DB.html
    PostgreSQL Certified Version V8.1.5 for Linux
    Manufacturer 	Assurance level 	Certification date
    NTT DATA CORPORATION 	EAL1 	22-MAR-07
    Certification report
    c0089_ecvr.pdf
    http://www.commoncriteriaportal.org/files/epfiles/c0089_ecvr.pdf

though at EAL1 they're quite far from the EAL4+ that DB2,
Oracle, etc get.

That someone went through the effort suggests that there's at least
some interest in getting security certifications for postgres.

It'd be interesting to hear from whomever at NTT was involved with
that certification, if SEPostgreSQL would have either made that
process easier or help postgres achieve a higher level.